Add MFA to Dashboard

CHANGELOG.md

@@ -4,6 +4,8 @@
 [Full Changelog](https://github.com/parse-community/parse-dashboard/compare/2.2.0...master)
 
 ## New Features
+- Add MFA to dashboard login. To use MFA, run `parse-dashboard --createMFA` or `parse-dashboard --createUser`. (Daniel Blyth) [#1624](https://github.com/parse-community/parse-dashboard/pull/1624)
+
 ## Improvements
 - Add CI check to add changelog entry (Manuel Trezza) [#1764](https://github.com/parse-community/parse-dashboard/pull/1764)
 - Refactor: uniform issue templates across repos (Manuel Trezza) [#1767](https://github.com/parse-community/parse-dashboard/pull/1767)

Parse-Dashboard/Authentication.js

@@ -3,6 +3,7 @@ var bcrypt = require('bcryptjs');
 var csrf = require('csurf');
 var passport = require('passport');
 var LocalStrategy = require('passport-local').Strategy;
+const authenticator = require('otplib').authenticator;
 
 /**
  * Constructor for Authentication class
@@ -21,14 +22,22 @@ function initialize(app, options) {
  options = options || {};
  var self = this;
  passport.use('local', new LocalStrategy(
- function(username, password, cb) {
+ {passReqToCallback:true},
+ function(req, username, password, cb) {
  var match = self.authenticate({
  name: username,
- pass: password
+ pass: password,
+ otpCode: req.body.otpCode
  });
  if (!match.matchingUsername) {
  return cb(null, false, { message: 'Invalid username or password' });
  }
+ if (match.otpMissing) {
+ return cb(null, false, { message: 'Please enter your OTP code.' });
+ }
+ if (!match.otpValid) {
+ return cb(null, false, { message: 'Invalid OTP code.' });
+ }
  cb(null, match.matchingUsername);
  })
  );
@@ -82,6 +91,8 @@ function authenticate(userToTest, usernameOnly) {
  let appsUserHasAccessTo = null;
  let matchingUsername = null;
  let isReadOnly = false;
+ let otpMissing = false;
+ let otpValid = true;
 
  //they provided auth
  let isAuthenticated = userToTest &&
@@ -90,6 +101,14 @@ function authenticate(userToTest, usernameOnly) {
  //the provided auth matches one of the users
  this.validUsers.find(user => {
  let isAuthenticated = false;
+ if (user.mfa && !usernameOnly) {
+ if (!userToTest.otpCode) {
+ otpMissing = true;
+ }
+ if (!authenticator.verify({ token:userToTest.otpCode, secret: user.mfa })) {
+ otpValid = false;
+ }
+ }
  let usernameMatches = userToTest.name == user.user;
  let passwordMatches = this.useEncryptedPasswords && !usernameOnly ? bcrypt.compareSync(userToTest.pass, user.pass) : userToTest.pass == user.pass;
  if (usernameMatches && (usernameOnly || passwordMatches)) {
@@ -99,13 +118,14 @@ function authenticate(userToTest, usernameOnly) {
  appsUserHasAccessTo = user.apps || null;
  isReadOnly = !!user.readOnly; // make it true/false
  }
-
  return isAuthenticated;
  }) ? true : false;
 
  return {
  isAuthenticated,
  matchingUsername,
+ otpMissing,
+ otpValid,
  appsUserHasAccessTo,
  isReadOnly,
  };

Parse-Dashboard/index.js

@@ -11,6 +11,7 @@ const path = require('path');
 const jsonFile = require('json-file-plus');
 const express = require('express');
 const parseDashboard = require('./app');
+const authenticator = require('otplib').authenticator;
 
 const program = require('commander');
 program.option('--appId [appId]', 'the app Id of the app you would like to manage.');
@@ -28,6 +29,8 @@ program.option('--sslKey [sslKey]', 'the path to the SSL private key.');
 program.option('--sslCert [sslCert]', 'the path to the SSL certificate.');
 program.option('--trustProxy [trustProxy]', 'set this flag when you are behind a front-facing proxy, such as when hosting on Heroku. Uses X-Forwarded-* headers to determine the client\'s connection and IP address.');
 program.option('--cookieSessionSecret [cookieSessionSecret]', 'set the cookie session secret, defaults to a random string. You should set that value if you want sessions to work across multiple server, or across restarts');
+program.option('--createUser', 'helper tool to allow you to generate secure user passwords and secrets. Use this once on a trusted device only.');
+program.option('--createMFA', 'helper tool to allow you to generate MFA secrets.');
 
 program.parse(process.argv);
 
@@ -57,6 +60,82 @@ let configUserPassword = program.userPassword || process.env.PARSE_DASHBOARD_USE
 let configSSLKey = program.sslKey || process.env.PARSE_DASHBOARD_SSL_KEY;
 let configSSLCert = program.sslCert || process.env.PARSE_DASHBOARD_SSL_CERT;
 
+const showQR = (text) => {
+ const QRCode = require('qrcode')
+ QRCode.toString(text, {type:'terminal'}, (err, url) => {
+ console.log(url)
+ })
+}
+if (program.createUser) {
+ (async () => {
+ const inquirer = require('inquirer');
+ const result = {}
+ const displayResult = {};
+ const {username, password} = await inquirer.prompt([{
+ type: 'input',
+ name: 'username',
+ message: 'Please enter the username:',
+ }, {
+ type: 'confirm',
+ name: 'password',
+ message: 'Would you like to generate a secure password?',
+ }]);
+ displayResult.username = username;
+ result.user = username;
+ if (!password) {
+ const {password} = await inquirer.prompt([{
+ type: 'password',
+ name: 'password',
+ message: `Please enter the password for ${username}:`,
+ }]);
+ displayResult.password = password;
+ result.pass = password
+ } else {
+ const password = require('crypto').randomBytes(20).toString('hex');
+ const bcrypt = require('bcryptjs');
+ const salt = bcrypt.genSaltSync(10);
+ const hash = bcrypt.hashSync(password, salt);
+ result.pass = hash;
+ displayResult.password = password;
+ }
+ const {mfa} = await inquirer.prompt([{
+ type: 'confirm',
+ name: 'mfa',
+ message: `Would you like to an MFA secret for ${username}?`,
+ }])
+ if (mfa) {
+ const secret = authenticator.generateSecret();
+ result.mfa = secret;
+ displayResult.mfa = authenticator.keyuri(username, configAppName || 'Parse Dashboard', secret);
+ }
+ const proc = require('child_process').spawn('pbcopy');
+ proc.stdin.write(JSON.stringify(displayResult));
+ proc.stdin.end();
+ console.log(`\n\nYour new user details' raw credentials have been copied to your clipboard. Add the following to your Parse Dashboard config:\n\n${JSON.stringify(result)}\n\n`);
+ if (displayResult.mfa) {
+ showQR(displayResult.mfa)
+ console.log(`After you've shared the QR code ${username}, it is recommended to delete any photos or records of it.\n`)
+ }
+ })();
+ return;
+}
+if (program.createMFA) {
+ (async () => {
+ const inquirer = require('inquirer');
+ const {username} = await inquirer.prompt([{
+ type: 'input',
+ name: 'username',
+ message: 'Please enter the name of the user you would like to create MFA for:',
+ }]);
+ const secret = authenticator.generateSecret();
+ console.log(`Please add this to your dashboard config for ${username}.\n\n"mfa":"${secret}"\n\n\n\n\nAsk ${username} to install an Authenticator app and scan this QR code on their device:\n`)
+ const url = authenticator.keyuri(username, configAppName || 'Parse Dashboard', secret);
+ showQR(url);
+ console.log(`After you've shared the QR code ${username}, it is recommended to delete any photos or records of it.\n`)
+ })();
+ return;
+}
+
 function handleSIGs(server) {
  const signals = {
  'SIGINT': 2,

README.md

@@ -61,7 +61,7 @@ parse-dashboard --dev --appId yourAppId --masterKey yourMasterKey --serverURL "h
 
 You may set the host, port and mount path by supplying the `--host`, `--port` and `--mountPath` options to parse-dashboard. You can use anything you want as the app name, or leave it out in which case the app ID will be used.
 
-NB: the `--dev` parameter is disabling production-ready security features, do not use this parameter when starting the dashboard in production. This parameter is useful if you are running on docker. 
+NB: the `--dev` parameter is disabling production-ready security features, do not use this parameter when starting the dashboard in production. This parameter is useful if you are running on docker.
 
 After starting the dashboard, you can visit http://localhost:4040 in your browser:
 
@@ -245,7 +245,7 @@ You can set `appNameForURL` in the config file for each app to control the url o
 
 To change the app to production, simply set `production` to `true` in your config file. The default value is false if not specified.
 
- ### Prevent columns sorting 
+ ### Prevent columns sorting
 
 You can prevent some columns to be sortable by adding `preventSort` to columnPreference options in each app configuration
 
@@ -378,7 +378,7 @@ You can configure your dashboard for Basic Authentication by adding usernames an
 ```
 
 You can store the password in either `plain text` or `bcrypt` formats. To use the `bcrypt` format, you must set the config `useEncryptedPasswords` parameter to `true`.
-You can encrypt the password using any online bcrypt tool e.g. [https://www.bcrypt-generator.com](https://www.bcrypt-generator.com).
+You can generate encrypted passwords by using `parse-dashboard --createUser`, and pasting the result in your users config.
 
 ### Separating App Access Based on User Identity
 If you have configured your dashboard to manage multiple applications, you can restrict the management of apps based on user identity.
@@ -452,15 +452,15 @@ You can mark a user as a read-only user:
  "appId": "myAppId1",
  "masterKey": "myMasterKey1",
  "readOnlyMasterKey": "myReadOnlyMasterKey1",
- "serverURL": "myURL1", 
+ "serverURL": "myURL1",
  "port": 4040,
  "production": true
  },
  {
  "appId": "myAppId2",
  "masterKey": "myMasterKey2",
  "readOnlyMasterKey": "myReadOnlyMasterKey2",
- "serverURL": "myURL2", 
+ "serverURL": "myURL2",
  "port": 4041,
  "production": true
  }
@@ -495,7 +495,7 @@ You can give read only access to a user on a per-app basis:
  "appId": "myAppId1",
  "masterKey": "myMasterKey1",
  "readOnlyMasterKey": "myReadOnlyMasterKey1",
- "serverURL": "myURL", 
+ "serverURL": "myURL",
  "port": 4040,
  "production": true
  },
@@ -536,7 +536,7 @@ You can provide a list of locales or languages you want to support for your dash
 
 ## Run with Docker
 
-The official docker image is published on [docker hub](https://hub.docker.com/r/parseplatform/parse-dashboard) 
+The official docker image is published on [docker hub](https://hub.docker.com/r/parseplatform/parse-dashboard)
 
 Run the image with your ``config.json`` mounted as a volume